Transcript slides

Design and Implementation of the AEGIS
Single-Chip Secure Processor Using
Physical Random Functions
G. Edward Suh, Charles W. O’Donnell,
Ishan Sachdev, and Srinivas Devadas
Massachusetts Institute of Technology
1
New Security Challenges
• Computing devices are becoming distributed,
unsupervised, and physically exposed
– Computers on the Internet (with untrusted owners)
– Embedded devices (cars, home appliances)
– Mobile devices (cell phones, PDAs, laptops)
• Attackers can physically tamper with devices
– Invasive probing
– Non-invasive measurement
– Install malicious software
• Software-only protections are not enough
2
Distributed Computation
• How can we “trust” remote computation?
Example: Distributed Computation on the Internet (SETI@home, etc.)
DistComp()
{
x = Receive();
result = Func(x);
Send(result);
}
Receive() { … }
• Need a secure platform
Send(…) { … }
Func(…) { … }
– Authenticate “itself (device)”
– Authenticate “software”
– Guarantee the integrity and privacy of “execution”
3
Existing Approaches
Tamper-Proof Package: IBM 4758
Sensors to detect attacks
Expensive
Continually battery-powered
Trusted Platform Module (TPM)
A separate chip (TPM) for
security functions
Decrypted “secondary” keys
can be read out from the bus
4
Our Approach
• Build a secure computing platform with only trusting a
“single-chip” processor (named AEGIS)
Security
Kernel
(trusted part
of an OS)
Identify
Protected Environment
Protect
I/O
Memory
• A single chip is easier and cheaper to protect
• The processor authenticates itself, identifies the security
kernel, and protects off-chip memory
5
Contributions
• Physical Random Functions (PUFs)
– Cheap and secure way to authenticate the processor
• Architecture to minimize the trusted code base
– Efficient use of protection mechanisms
– Reduce the code to be verified
• Integration of protection mechanisms
– Additional checks in MMU
– Off-chip memory encryption and integrity verification (IV)
• Evaluation of a fully-functional RTL implementation
– Area Estimate
– Performance Measurement
6
Physical Random Function
(PUF – Physical Unclonable Function)
7
Problem
Storing digital information in a device in a way that is
resistant to physical attacks is difficult and expensive.
EEPROM/ROM
Probe
Processor
• Adversaries can physically extract secret keys from
EEPROM while processor is off
• Trusted party must embed and test secret keys in a
secure location
• EEPROM adds additional complexity to manufacturing
8
Our Solution:
Physical Random Functions (PUFs)
• Generate keys from a complex physical system
Hard to fully
characterize
or predict
characterize
Physical System
configure
Response (n-bits)
Challenge (c-bits)
Processor
Use as a secret
Can generate many
secrets by changing
the challenge
• Security Advantage
– Keys are generated on demand  No non-volatile secrets
– No need to program the secret
– Can generate multiple master keys
• What can be hard to predict, but easy to measure?
9
Silicon PUF – Concept
• Because of random process variations, no two Integrated
Circuits even with the same layouts are identical
– Variation is inherent in fabrication process
– Hard to remove or predict
– Relative variation increases as the fabrication process advances
• Experiments in which identical circuits with identical
layouts were placed on different ICs show that path delays
vary enough across ICs to use them for identification.
Challenge
c-bits
Response
n-bits
Combinatorial
Circuit
10
A (Simple) Silicon PUF
c-bit
Challenge
Rising
Edge
1
0
0
[VLSI’04]
1
1
1
0
0
0
0
0
1
1
1
1
0
1
…
0
D Q
G
1 if top
path is
faster,
else 0
Each challenge creates two paths through the circuit that are
excited simultaneously. The digital response of 0 or 1 is
based on a comparison of the path delays by the arbiter
We can obtain n-bit responses from this circuit by either
duplicate the circuit n times, or use n different challenges
Only use standard digital logic  No special fabrication
11
PUF Experiments
• Fabricated 200 “identical” chips with PUFs in TSMC
0.18m on 5 different wafer runs
Security
– What is the probability that
a challenge produces
different responses on two
different PUFs?
Reliability
– What is the probability that
a PUF output for a
challenge changes with
temperature?
– With voltage variation?
12
Inter-Chip Variation
• Apply random challenges and observe 100 response bits
Measurement noise for Chip X = 0.9 bits
Probability Density Function
0.25
Measurement Noise
Inter-Chip Variation
0.2
0.15
0.1
Distance between Chip X and Y
responses = 24.8 bits
0.05
0 Can identify
0individual
5
10
15
20
25
30
ICs
Hamming Distance (# of different bits, out of 100)
35
40
13
Environmental Variations
• What happens if we change voltage and temperature?
Measurement noise at 125C
(baseline at 20C) = 3.5 bits
Probability Density Function
0.25
Measurement Noise
Inter-Chip Variation
Voltage Variation Noise
Temp Variation Noise
0.2
Measurement noise with
Evenvariation
with environmental
variation,
10% voltage
= 4 bits
0.15
we can still distinguish two different
PUFs
0.1
0.05
0
0
5
10
15
20
25
30
Hamming Distance (# of different bits, out of 100)
35
40
14
Reliable PUFs
PUFs can be made more secure and reliable by adding
extra control logic
Challenge
c
Response
BCH
nDecoding
PUF
For
ForRe-generation
calibration
Syndrome
One-Way
Hash
Function
BCH
Encoding
New Response
k
Syndrome
n-k
• Hash function (SHA-1,MD5) precludes PUF “model-building” attacks
since, to obtain PUF output, adversary has to invert a one-way
function
• Error Correcting Code (ECC) can eliminate the measurement noise
without compromising security
15
Architecture Overview
16
Authentication
• The processor identifies security kernel by computing the
kernel’s hash (on the l.enter.aegis instruction)
– Similar to ideas in TCG TPM and Microsoft NGSCB
– Security kernel identifies application programs
• H(SKernel) is used to produce a unique key for security
kernel from a PUF response (l.puf.secret instruction)
– Security kernel provides a unique key for each application
Application
(DistComp)
Security
Kernel
H(App)
Message Authentication Code (MAC)
A server can authenticate the processor,
the security kernel, and the application
H(SKernel)
17
Protecting Program State
• On-chip registers and caches
– Security kernel handles context switches and permission checks
in MMU
External Memory
Processor
ENCRYPT /
DECRYPT
write
INTEGRITY
VERIFICATION
read
• Memory Encryption [MICRO36][Yang 03]
– Counter-mode encryption
• Integrity Verification [HPCA’03,MICRO36,IEEE S&P ’05]
– Hash trees
18
A Simple Protection Model
• How should we apply the
authentication and
protection mechanisms? Encrypted
• What to protect?
&
Integrity
Verified
– All instructions and data
– Both integrity and privacy
• What to trust?
– The entire program code
– Any part of the code can
read/write protected data
Uninitialized Data
(stack, heap)
Initialized Data
(.rodata, .bss)
Hash

Program
Identity
Program Code
(Instructions)
Memory Space
19
What Is Wrong?
• Large Trusted Code Base
– Difficult to verify to be bug-free
– How can we trust shared libraries?
• Applications/functions have varying security requirements
– Do all code and data need privacy?
– Do I/O functions need to be protected?
 Unnecessary performance and power overheads
• Architecture should provide flexibility so that software can
choose the minimum required trust and protection
20
Distributed Computation Example
DistComp()
{
x = Receive();
• Obtaining a secret key
and computing a MAC
– Need both privacy and
integrity
result = Func(x);
key = get_puf_secret();
mac = MAC(x,result,key);
Send(result,mac);
}
• Computing the result
– Only need integrity
• Receiving the input and
sending the result (I/O)
– No need for protection
– No need to be trusted
21
AEGIS Memory Protection
• Architecture provides five
different memory regions
Receive(),
Unprotected
Send() data
– Applications choose how to use
• Static (read-only)
– Integrity verified
– Integrity verified & encrypted
MAC() data
Dynamic
Verified
Func() data
• Dynamic (read-write)
– Integrity verified
– Integrity verified & encrypted
• Unprotected
• Only authenticate code in the
verified regions
Dynamic
Encrypted
Static
Encrypted
Static
Verified
Func(), MAC()
Receive(),
Unprotected
Send()
Memory Space
22
Suspended Secure Processing (SSP)
• Two security levels within
a process
– Untrusted code such as
Receive() and Send()
should have less privilege
• Architecture ensures that
SSP mode cannot tamper
with secure processing
– No permission for
protected memory
– Only resume secure
processing at a specific
point
Insecure (untrusted) Modes
Start-up
STD
SSP
Resume
Compute
Hash
Suspend
TE/PTR
Secure Modes
23
Implementation & Evaluation
24
Implementation
• Fully-functional system on an FPGA board
– AEGIS (Virtex2 FPGA), Memory (256MB SDRAM), I/O (RS-232)
– Based on openRISC 1200 (a simple 4-stage pipelined RISC)
– AEGIS instructions are implemented as special traps
Processor (FPGA)
RS-232
External Memory
25
Area Estimate
I/O (UART, SDRAM ctrl, debug unit)
Cache
(16KB)
1.050mm2
Code ROM
(11KB)
0.138mm2
IV Unit
(5 SHA-1)
1.075mm2
Scratch
Pad (2KB)
0.261mm2
0.258mm2
Encryption Unit
(3 AES)
0.864mm2
Cache (4KB)
0.504mm2
PUF 0.027mm2
0.086mm2
I-Cache
(32KB)
D-Cache
(32KB)
Core
0.512mm2
1.815mm2
2.512mm2
• Synopsys DC with
TSMC 0.18u lib
• New instructions
and PUF add 30K
gates, 2KB mem
(1.12x larger)
• Off-chip protection
adds 200K gates,
20KB memory
(1.9x larger total)
• The area can be
further optimized
26
Performance Slowdown
• Performance overhead
comes from off-chip
protections
• Synthetic benchmark
– Reads 4MB array with a
varying stride
– Measures the slowdown for
a varying cache miss-rate
• Slowdown is reasonable
for realistic miss-rates
– Less than 20% for integrity
– 5-10% additional for
encryption
Slowdown (%)
D-Cache
miss-rate
Integrity
Integrity +
Privacy
6.25%
3.8
8.3
12.5%
18.9
25.6
25%
31.5
40.5
50%
62.1
80.3
100%
130.0
162.0
27
EEMBC/SPEC Performance
Slowdown (%)
• 5 EEMBC kernels and
1 SPEC benchmark
• EEMBC kernels have
negligible slowdown
– Low cache miss-rate
– Only ran 1 iteration
• SPEC twolf also has
reasonable slowdown
Benchmark
Integrity
Integrity +
Privacy
routelookup
0.0
0.3
ospf
0.2
3.3
autocor
0.1
1.6
conven
0.1
1.3
fbital
0.0
0.1
twolf (SPEC)
7.1
15.5
28
Related Projects
• XOM (eXecution Only Memory)
–
–
–
–
Stated goal: Protect integrity and privacy of code and data
Operating system is completely untrusted
Memory integrity checking does not prevent replay attacks
Privacy enforced for all code and data
• TCG TPM / Microsoft NGSCB / ARM TrustZone
– Protects from software attacks
– Off-chip memory integrity and privacy are assumed
• AEGIS provides “higher security” with “smaller Trusted
Computing Base (TCB)”
29
Summary
• Physical attacks are becoming more prevalent
– Untrusted owners, physically exposed devices
– Requires secure hardware platform to trust remote
computation
• The trusted computing base should be small to
be secure and cheap
– Hardware: single-chip secure processor
• Physical random functions
• Memory protection mechanisms
– Software: suspended secure processing
• Initial overheads of the AEGIS single-chip
secure processor is promising
30
Questions?
More information on www.csg.csail.mit.edu
31